• About
  • Offices
  • Careers
  • News
  • Students
  • Alumni
  • Payments
Background Image
Bennett Jones Logo 100 Years
  • People
  • Expertise
  • Knowledge
  • Search
  • Menu
  • Search Mobile
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
View all
Practices
Corporate Litigation Regulatory Tax View all
Industries
Capital Projects Energy Funds & Finance Mining View all
Advisory
Crisis & Risk Management Environmental, Social & Governance (ESG) Governmental Affairs & Public Policy
View Client Work
Insights News Events
New Energy Economy Series COVID-19 Resource Centre Business Law Talks Podcast
Subscribe
Bennett Jones Centennial Menu
People
Practices
Industries
Advisory Services
Client Work
About
Offices
News
Careers
Insights
Law Students
Events
Search
Alumni
Payments
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
 
Blog

Cyber Breach at the Ontario Cannabis Store Impacts 4,500 Consumers

November 07, 2018

Written by Ruth Promislow and Katherine Rusk

The Toronto Sun reported this morning that the privacy of 4,500 consumers of recreational cannabis in Ontario has been compromised. The names and addresses of individuals purchasing cannabis through the Ontario Cannabis Store (OCS) website, and the names of the individuals who signed for the package delivery, was accessed by an unidentified individual through the Canada Post online tracking tool in late October or early November.

The OCS has notified the impacted consumers and has reported the breach to the Office of the Privacy Commissioner. Canada Post has announced that it has fixed the loophole and further unauthorized access has been prevented. During the ramp up to legalization and over the past few weeks, the OCS has consistently prioritized the privacy of its consumers. For example, its privacy policy reveals a focus on shipping, stating that "when we ship orders, we deliver in discreet, plain packaging, so the nature of your purchase is not revealed." Privacy has been noted as a major concern for many consumers of cannabis.

But even the most prepared corporation can be at risk when a third-party service provider is breached. Understanding the risk of a cyberattack on your third-party service providers is an integral part of any business arrangement.

Consumers of recreational cannabis in Ontario who are worried about their privacy do not have an alternative legal purchase option at the moment as they are required to purchase from the OCS's website and Canada Post is the only shipping provider.

Addresses and names of consumers are generally considered to be "personal information" under Canada's federal privacy Act, PIPEDA. The OCS breach highlights the risk of attacks and cybersecurity incidents occurring through third-party service providers. While some of the tasks surrounding consumer privacy can be contracted out, the ultimate responsibility for maintaining consumer privacy cannot be delegated.

Third-party vendors are a critical factor in cybersecurity. If you are an organization that engages third-party service providers to assist with processing personal information, you should protect yourself by ensuring that you have a recorded basis for selecting the third-party vendor. This should also ensure that you know the third party has the appropriate safeguards in place. Contractual provisions with third parties should identify items such as:

  • its obligation to safeguard the personal information;
  • its obligation to notify you about security incidents;
  • your ability to oversee and potentially audit its operations as it concerns the personal information it processes on your behalf;
  • who bears the burden of the costs associated with a data security incident; and
  • any requirement that it procure cybersecurity insurance to cover the costs associated with a breach.

The Bennett Jones Cybersecurity group can help review your cybersecurity and privacy preparations to ensure that your organization is ready for when a breach occurs.

PDF Download

Author

  • Ruth E. Promislow Ruth E. Promislow, Partner

Bennett Jones Marks 100 Years of Service and Trust

Related Links

  • Insights
  • Media
  • Subscribe

Recent Posts

Blog

UPDATED Canadian Sanctions Targeting Russia, Belarus [...]

June 29, 2022
       

Blog

National Indigenous Economic Strategy Rebuilding Indigenous Economies

June 24, 2022
       

Blog

Achieving Net Zero by 2050: The MMV Plan as a Fundamental [...]

June 23, 2022
       

Blog

Anti-Money Laundering Rules Expanded to Include Payment [...]

June 21, 2022
       

Blog

Alberta Court Declines to Extend Limitation Period [...]

June 20, 2022
       
Bennett Jones Centennial Footer 100 Years
Bennett Jones Centennial Footer 100 Years
About
  • Leadership
  • Diversity
  • Community
  • Innovation
  • Security
  • History
Offices
  • Calgary
  • Edmonton
  • Ottawa
  • Toronto
  • Vancouver
  • New York
Connect
  • Insights
  • News
  • Events
  • Careers
  • Students
  • Alumni
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
© Bennett Jones LLP 2022. All rights reserved.
  • Privacy Policy
  • Disclaimer
  • Terms of Use
Logo Bennett Jones